Krebs on Security

In-depth security news and investigation

Hay Maker Seeks Cyberheist Bale Out

An Oregon agricultural products company is suing its bank to recover nearly a quarter-million dollars stolen in a 2010 cyberheist. The lawsuit is the latest in a series of legal challenges seeking to hold financial institutions more accountable for costly corporate account takeovers tied to cybercrime.

On Sept. 1, 2010, unidentified computer crooks began making unauthorized wire transfers out of the bank accounts belonging to Oregon Hay Products Inc., a hay compressing facility in Boardman, Oregon. In all, the thieves stole $223,500 in three wire transfers of just under $75,000 over a three-day period.

According to a complaint filed in Umatilla County Circuit Court, the transfers were sent from Oregon Hay’s checking account at Joseph, Ore.-based Community Bank to JSC Astra Bank in Ukraine. Oregon Hay’s lawyers say the company had set a $75,000 daily limit on outgoing wires, so the thieves initiated transfers of $74,800, $74,500 and $74,200 on three consecutive days.

Unfortunately for both parties in this dispute, neither Oregon Hay nor Community Bank detected anything amiss until almost two weeks after the fraud began; on Sept. 14, the victim firm found it was unable to access its accounts online. But by that time, the money was long gone.
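The pattern described above, three wires each a few hundred dollars under the customer’s daily limit, on consecutive days, to a beneficiary the account had never paid, is the kind of sequence a bank’s or a treasurer’s own transaction review can catch even when each wire alone passes the limit check. The Python below is an added example, not Community Bank’s, Jack Henry’s or Oregon Hay’s code; the record format, the 95% “near limit” threshold and the sample payees are assumptions, with the three amounts and dates taken from the complaint as reported above.

```python
"""Flag runs of near-limit outgoing wires to a never-before-paid beneficiary
on consecutive days.  Added example; record format and thresholds are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Wire:
    day: date
    amount: float
    beneficiary: str  # label for the receiving bank/account


DAILY_LIMIT = 75_000.0   # the customer's configured outgoing-wire limit
NEAR_LIMIT_RATIO = 0.95  # at or above 95% of the limit counts as "near"


def near_limit(w: Wire, limit: float = DAILY_LIMIT,
               ratio: float = NEAR_LIMIT_RATIO) -> bool:
    """True when a wire sits just under (or exactly at) the daily limit."""
    return limit * ratio <= w.amount <= limit


def find_structured_runs(wires, known_beneficiaries, limit=DAILY_LIMIT,
                         min_run=2):
    """Return lists of wires forming runs of >= min_run consecutive-day,
    near-limit transfers to the same beneficiary not previously paid."""
    candidates = [w for w in sorted(wires, key=lambda w: w.day)
                  if near_limit(w, limit)
                  and w.beneficiary not in known_beneficiaries]
    runs, current = [], []
    for w in candidates:
        consecutive = (current
                       and w.beneficiary == current[-1].beneficiary
                       and w.day - current[-1].day == timedelta(days=1))
        if consecutive:
            current.append(w)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [w]
    if len(current) >= min_run:
        runs.append(current)
    return runs


# Constructed sample: the three reported wires plus two ordinary payments.
KNOWN_BENEFICIARIES = {"Feed Supplier A", "Trucking Co"}
SAMPLE_WIRES = [
    Wire(date(2010, 8, 30), 12_400.00, "Feed Supplier A"),
    Wire(date(2010, 9, 1), 74_800.00, "JSC Astra Bank"),
    Wire(date(2010, 9, 2), 74_500.00, "JSC Astra Bank"),
    Wire(date(2010, 9, 3), 74_200.00, "JSC Astra Bank"),
    Wire(date(2010, 9, 7), 74_900.00, "Trucking Co"),  # near limit, known payee
]

if __name__ == "__main__":
    for run in find_structured_runs(SAMPLE_WIRES, KNOWN_BENEFICIARIES):
        total = sum(w.amount for w in run)
        print(f"{run[0].beneficiary}: {len(run)} wires, ${total:,.2f} "
              f"from {run[0].day} to {run[-1].day}")
```

Holding or calling back on the first near-limit wire to a new beneficiary would have stopped the run at $74,800; the rule above reports the whole run after the fact, which is the review a bank or customer could have done on Sept. 2 rather than Sept. 14.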

Both Oregon Hay and Community Bank declined to be interviewed for this story.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers. But as cyberheists have ramped up dramatically over the past several years, a number of victim companies have opted to sue their financial institutions in the hopes of recovering the losses.

COMMERCIALLY REASONABLE?

Oregon, like most states, has adopted the Uniform Commercial Code, which means that a payment order received by the bank is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer.

In its complaint, Oregon Hay targets Article 4A of the UCC, alleging that Community Bank’s online account security procedures were not commercially reasonable given the sophistication of today’s threats, and that the bank did not accept the fraudulent payment orders in good faith.

The plaintiffs claim that the bank’s security systems did not rise to the level of recommendations issued by banking regulators at the U.S. Federal Financial Institutions Examination Council (FFIEC), which urged the use of multi-factor authentication to verify the identity of users attempting to log in to a financial institution’s online banking software. Multi-factor authentication requires the presentation of two or more of the three authentication factors: something the user knows, such as a password or PIN; something the user has, such as a smart card or one-time token; and something the user is, such as a fingerprint or iris scan.

According to the lawsuit, at the time of the theft Community Bank relied on a Jack Henry product called “Multifactor Premium with Watermark,” which relied on a combination of “device IDs” — a software “cookie” that identifies the user’s computer — and “challenge/response” questions, which attempt to verify a user’s identity by asking him for answers to questions about his personal or financial history.

Lance James, chief scientist at Jersey City, NJ-based security firm Vigilant, said Community Bank’s use of secret images and challenge questions did not constitute multi-factor authentication because these approaches are simply multiple solutions from the same authentication category.

James noted that all three fraudulent wires were sent from Internet addresses that the victim firm had never before used. In addition, James said, records show that in the course of their robbery, the thieves made 37 unsuccessful login attempts from five different IP addresses over a six-day period.

“If the ‘IP restriction’ and ‘RSA Blocked Access Setting’ features had been turned on, the individuals using other IP addresses would not have been able to log in to Oregon Hay’s online account with Community Bank, their log in efforts would have been automatically blocked, and Community Bank alerts to such deviations, including the use of different IP addresses,” James wrote in a declaration in support of the plaintiffs filed with the circuit court.
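The two controls James names, restricting logins to known addresses and alerting on repeated failures and never-seen IPs, can be illustrated with a small review script run over an authentication audit trail. The Python below is an added example, not Community Bank’s or Jack Henry’s software; the log format, the office address range, the failure threshold and the addresses themselves (RFC 5737 documentation ranges) are constructed.

```python
"""Review online-banking login events for deviations from an account's
history: failed-login bursts and logins from outside a customer allowlist.
Added example; log format, allowlist and thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$")

# Constructed audit trail for one business account (assumed format).
SAMPLE_LOG = """\
2010-08-30T14:02:10Z user=oregonhay ip=198.51.100.7 result=OK
2010-08-31T02:11:09Z user=oregonhay ip=203.0.113.10 result=FAIL
2010-08-31T02:11:31Z user=oregonhay ip=203.0.113.10 result=FAIL
2010-08-31T02:12:05Z user=oregonhay ip=203.0.113.10 result=FAIL
2010-08-31T23:40:12Z user=oregonhay ip=203.0.113.45 result=FAIL
2010-09-01T01:03:50Z user=oregonhay ip=203.0.113.45 result=OK
2010-09-02T01:10:22Z user=oregonhay ip=192.0.2.88 result=FAIL
2010-09-02T01:10:59Z user=oregonhay ip=192.0.2.88 result=OK
2010-09-03T00:58:00Z user=oregonhay ip=192.0.2.200 result=OK
this line is malformed and should be skipped
""".splitlines()

# Customer-supplied "IP restriction": only the office range may log in (assumed).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(lines):
    """Parse well-formed lines into (timestamp, user, ip, result), oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], ipaddress.ip_address(m["ip"]), m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def in_allowlist(ip, allowlist):
    return any(ip in net for net in allowlist)


def max_failures_in_window(times, window):
    """Largest count of (sorted) failure timestamps falling within `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess_logins(lines, allowlist, fail_threshold=5, window=timedelta(days=7)):
    """Per user: failure burst size, events from outside the allowlist, and
    whether the account should be flagged (or those logins blocked outright)."""
    per_user = defaultdict(lambda: {"fail_times": [], "outside_ok": 0,
                                    "outside_fail": 0, "outside_ips": set()})
    for ts, user, ip, result in parse_log(lines):
        rec = per_user[user]
        if result == "FAIL":
            rec["fail_times"].append(ts)
        if in_allowlist(ip, allowlist):
            continue  # expected address; nothing further to note
        rec["outside_ips"].add(str(ip))
        if result == "OK":
            rec["outside_ok"] += 1
        else:
            rec["outside_fail"] += 1
    report = {}
    for user, rec in per_user.items():
        burst = max_failures_in_window(rec["fail_times"], window)
        report[user] = {
            "failure_burst": burst,
            "successes_outside_allowlist": rec["outside_ok"],
            "failures_outside_allowlist": rec["outside_fail"],
            "distinct_outside_ips": len(rec["outside_ips"]),
            # Either condition alone warrants an alert to bank and customer.
            "flag": rec["outside_ok"] > 0 or burst >= fail_threshold,
        }
    return report


if __name__ == "__main__":
    for user, finding in assess_logins(SAMPLE_LOG, ALLOWLIST).items():
        print(user, finding)
```

With the allowlist enforced at login time, every event in the sample outside 198.51.100.0/24 would have been rejected before a password was even checked; run after the fact, the same data yields a failure burst and three successful logins from addresses the account had never used, each of which is an alert condition on its own.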

Mark Hargrave, a partner with the law firm Stinson Morrison Heckler in Kansas City, said given the number of these cyberheist cases being brought and the media attention paid to them, the odds of a commercial customer bringing some kind of claim against a financial institution in the wake of a cyberheist are a lot higher than they were just two to three years ago.

“It’s now much more likely that a business that’s been victimized is going to consider legal action,” Hargrave said.

Hargrave said that judges will look at all relevant cases, whether or not the decision is binding in their jurisdiction.

“Even if it’s not mandatory precedent, these decisions are persuasive because by and large Article 4A of the UCC is uniform across the states, and so a court in Georgia looking at one of these cases, for example, is likely to look at what other states are doing,” he said. “The definition of what constitutes ‘good faith’ definitely is squishy, it gives the court wide discretion to determine that an action was or was not carried out in good faith. It used to be in the UCC that ‘good faith’ meant you were acting honestly. Now, the courts are asking, ‘In the totality of the circumstances, was the bank treating the customer unfairly or trying to take advantage?’”

This entry was posted on Thursday, April 11th, 2013 at 8:35 am and is filed under Target: Small Businesses.

Instead of spending our money and effort on protecting our assets, cyber and otherwise, we call in the shysters to sue after the fact. How typically American.

This is a logical consequence of our national priority that maximizing the CEO’s golden parachute is more important than basic competence.

Companies could implement policies to prevent this at a trivial cost. Hire an unemployed American IT contractor to build a PC to run Linux and make it company policy that only banking access is to be performed on that PC (yes, they could also use a Live CD, but this is even easier for the PC-illiterate employee). Enforce it with a fire-on-sight policy for violators and hold mandatory education classes to inform all relevant workers that this policy is no joke.

Another thing to consider is a no-unverified-attachments policy, i.e. employees cannot open any email attachment before calling the sender to verify that an email was indeed sent.

Will this slow things down? You betcha, but the loss of 0.25 million dollars will also put a crimp in productivity.

annnnndd we cycle back to the topic….long-term unemployment is the condition that preps many a job seeker to become a money mule!

actually, I think a lot of these mules are simply not the brightest bulbs in the box, and aren’t asking too many questions. this breach, of course, did not involve money mules, at least not here in the US.

And then you discover that the old Depression-era song — “Nobody knows you when you’re down and out” — is based in fact.

People you thought were friends at work reveal themselves to be Fox News / CNBC hillbillies when they refuse to reply to your emails from your home address.

And if a company even bothers to respond to a job application — and this is rare indeed — they often reply almost immediately with a sentence to the effect that “You did not meet our minimum requirements,” in other words, they do not consider unemployed candidates.

I agree on a priority shift, but after a certain period of time I believe a return to ‘norm’ occurs, perhaps even more enforced by fear of ‘what if I lose my employment again’? Which might lead instead to more insider threat.

quite a stretch you have attempted, trying (and failing) to connect this incident somehow to “CEO’s golden parachutes”. It sounds as though you are blaming the victim.

As for bringing in the “shysters”, it is perfectly rational for the company that was victimized by theft to sue the bank. Banks SHOULD be accountable for these types of crimes, but they won’t do it because the crimes don’t hurt them.

One simple and fast way to solve this problem would be for business customers to be granted similar legal protections for banking thefts as consumers are currently granted. Banks would instantaneously implement policies and technical means to prevent the vast majority of these cyber thefts.

“quite a stretch you have attempted, trying (and failing) to connect this incident somehow to “CEO’s golden parachutes”. It sounds as though you are blaming the victim.”

Ah, another CEO wannabe!

Many of the readers here, not to mention Brian, could have advised the haymakers on proper avoidance of trojans. But these companies, by and large, do not bother. They ignore the advice of IT professionals or are too cheap to hire them. In the parlance of the security trade, they accept the risk, whether they understand it or not.

I wonder how many people here bothered to do an Internet search on “Oregon Hay Products Inc” which leads to http://hay4u.com/. At http://hay4u.com/follen.html is an ironic sentence “We give foreign buyers a direct link to American agricultural products.” More like “We give foreign thieves a direct link to our bank account.”

Especially coming so soon after so many failed login attempts from IPs that had never been used to access the account. Taken individually they’re not red flags but taken together, as a sequence of events, they should raise one.

Man, this is tough. Another company gets whacked for funds they cannot afford to lose. It’s a learning experience. It’s either jumping through hoops or doing security by obscurity – hoping one doesn’t get caught with their pants around thy ankles.

Maybe it’s me, but commmmon, if there are multiple attempts to login to an account, it should have thrown a red flag to something / someone? No account lockouts? No security personnel looking over audit logs? No emails to the bank or account holder stating their account has had an excessive amount of log in failures?

It boils down to due diligence and due care. The prudent man rule should come into play. If significant protections are not in place to notify the bank and/or account holder of a potential incident on the account, who is at fault?

Blocking IPs is becoming harder with BOT-nets. If I am overseas, and I know my IP is blocked by an organization, why can’t I simply use one of the bot infested computers to bounce off of? Or I use a Dynamic DNS, or spoof my address? There are a lot of ways to get around IP block lists. For businesses – there should be a list of IPs that are considered trusted, and the only IPs that are allowed to communicate with the bank.

I don’t know this company, but one would figure that the person in charge of finances would log in every once in a while ( like every 2-3 days?) to see what the account balances are and see what payments have cleared (inbound and outbound).

How often does a company like this require a quarter of a million dollars in the checking account? Isn’t there a way to stash cash in a virtual location which requires an act of god to get the monies transferred from the virtual vault to the open checking account? One would figure that maybe 50,000 in checking would be enough? That’s where 2 or 3 factor authentication may come into play…. 2 factor authentication, plus a one time password/ authentication number is sent to the phone/email of the account holder. If the account holder email and phone number have changed in the last week or so, it requires a bank officer verification for an override.

Either way, it is a loss. If the company doesn’t recover its funds, then they claim the monies as a loss when tax time comes. I wish them all the best, but honestly both sides are at fault. = \

Unfortunately bankers are having a hard time getting business clients to understand the dangers of using the internet, and adopting security controls such as dual control, IP restrictions, and access windows, because it’s too much of a “hassle” for them and they believe the bank will be held liable. Now both the bank and the company are going to expend more resources than the accumulated losses. Now that is a “hassle”….

I expect it to go the way of the credit card industry. Once it’s firmly established that the banks are going to be held liable for these losses (which is just my assumption), they’ll begin to require that their customers submit to more stringent security standards. For better or worse, this will bring change more quickly than relying on the individual businesses. This is still a rare enough occurrence that, from any single business’s perspective, it’s not worth committing resources to mitigation.

Many of the suggestions posted previously in these comments would be either transparent to the user, or of little impact. Being called back to confirm an unusually large transfer from a previously-unused computer is not something that most people would find onerous.
But it would require the banks take security more seriously.

Speaking of which,
How many banks do you think know where their data is stored? Who is actually writing the code that transfers the money?

“Just about everything is being outsourced to India or China, so it is likely that the data and programmers reside in India. I’ll bet these corporate types never think of the risk that entails.”

I think this remark is a pointer towards the basic problem – the education and awareness of the user. Internet related fraud takes place not because the software is written in India or the data is stored in China but because of the stupidity of the user, or in this case, both the parties.

As someone who many years ago worked customer support for Bank of America’s Microstar cash management software product, I can tell you that cash management is a problem for many companies.

And in my case, I had access to bank account information for Fortune 500 companies who didn’t have sums of a half million or so – they had SCORES and HUNDREDS of millions in cash in multiple banks across the country and sometimes the world.

A company has to manage its cash in order both to handle its cash flow requirements and its operational requirements, but also to maximize an ROI for cash sitting around by shuffling cash from account to account depending on interest rates, as well as shuffling between cash and short-term investments. This is true for non-financial companies as well as financial instrument companies.

Banks and third party companies have software developed for this purpose which is sold to corporate treasurers. Back in the ’80’s I can tell you from experience that software generally sucked rocks. Don’t know how well it works these days – probably not much as software rarely gets much better.

But in general, yes, companies frequently need large cash balances in accounts depending on their operations and financing needs. As long as the treasurer can get to it, a hacker can.

“Haymaker A punch in which the arm is whipped sideways from the shoulder joint with minimal elbow bend. The name is derived from the motion, which mimics the action of manually cutting hay by swinging a scythe. The haymaker is considered an imperfect/impure punch, as the angle of approach is unsupported by the remainder of the forearm. Since a haymaker’s power is derived completely from weight transfer and momentum instead of muscle contraction, a long windup is required to generate sufficient force. Haymakers, in the form of shoulder punches, are frequently used from a mounted position in mixed martial arts as part of the “ground and pound” method, as the legs cannot be used to generate power. These punches leave the person vulnerable to a counter punch during the wind up, if blocked, or if the haymaker misses generally when both combatants are standing.[13]”

There is a serious need for an out-of-band authentication when doing money transfers out of banks. I know with my bank, I can set up an amount to send on a certain day and it’s gone. I don’t have to do anything, just set up the payment and the check is sent. Anyone can go in and transfer any amount on any given date, without me knowing it. Sure, I would be alerted by email, but that would be after the fact. In my opinion, before any money transfer is sent by banks, they should robo call you to confirm the payment by way of typing in a PIN code. This would prevent the fraud from happening since the fraudster would have to gain access to your phone and know the PIN code, to initiate the illegal transfer.

There are services specifically to make that difficult or even to hack the process. I am guessing it is also possible to spoof one’s outgoing number and call the bank directly and “let them know” it will happen if you have someone who does not have very pronounced accent “working” for you. There are many ways around this problem. And not everything is done online. Attacks are as complicated as they need to be… when criminals are intelligent enough to make them so.

While I have asked for this at my Credit Union (OOB auth), it’s not something they are able to offer.

What they do have is email notifications. Any ATM over some amount ($120, I think) and I get an email. Any scheduled electronic payment and I get an email. Any new payee being added to the electronic payment system and I get an email. Change in contact information (including email) and I get an email to the old contract info (as well as a paper notification if it was a change to a physical or phone number).

I have these alerts and other critical ones getting polled by my phone. I’d know within 5 minutes of something fishy and I could call up my bank and stop/reverse it.

Additionally, I don’t use my main ATM card anywhere except the official Credit Union ATM. It also has no VISA/MC number tied to it (purposely). I have another account for less-trusted ATM use, and a credit card just for that purpose, and I get email notified on all transactions over $100. I have a credit card that is never physically carried and only used for online purchases (BofA’s ShopSafe which they got when they bought MBNA), which lets me set a 2 month (or more) expiration on a temporary credit card number, as well as any dollar limit I wish.

I’ve had zero fraud charges in a long time – mostly because you just cannot touch my accounts or I get notified and tell the CC company it is fraud within the hour. A bit of a hassle to set up, and took a little bit to get my wife to go along with it, but really compared to dealing with fraud stuff, it’s great.

My bank now requires authentication by identifying the software “cookie” on my computer. I always clear my cookies and cache when I shut down for the day/night. So, once I login, my financial organization calls to give me a code. After entering my ID and password, I enter the code, which completes the login procedure and takes me to the web site. While my institution requires you to have a phone number on file, you can easily change it during the login procedure.

Any clue how the crooks got an authenticated cookie? Or is getting an authenticated cookie pretty easy.

I agree with you Nic. And I do not believe that that is “victim blaming” any more than those frivolous lawsuits that keep showing up in the US demanding “reparations” because of too-hot coffee. You make bad judgment calls. You pay. It does not matter if it is inconvenient. Call it an expensive lesson and maybe pay more attention.

My point is more that everyone is trying to outsource their blame. Not just their software. I’d be more interested in knowing if this Hay company realises it is at fault and is still interested in legal reparations, or if it truly believes it did no wrong whatsoever. I am particularly interested to know if the answer falls somewhere in between.

Just like no one would have submitted to body searches until 9/11, companies and banks won’t admit that cyber-crime is a problem until they get burned.

A few people here have suggested that banks implement highly restrictive policies, but do you really think ignorant customers will stand for it? I suspect many of them will switch banks to find one which will kiss their corporate rear right up to the point where they are hacked.

Everyone wants security without paying a price in overhead, but there ain’t no free lunch, or as the Russians say, the only free cheese is in mouse traps.

I am sure I will hear from the “regulations are killing our economy” crowd, but the appropriate banking regulator needs to dictate some policies. If our elected free-loaders were interested in solving the problem, they could convene a panel including Brian and others who have experience with the problem.

I’ve mentioned here previously that this sort of thing is only going to get more prevalent until changes are FORCED on the software and telecom – and banking – industries by the sheer calumny of corporations nailed to the wall by hacks.

This story reminds me, when are we going to see the Vanguard Group adopt two-factor authentication for their website? (https::/personal.vanguard.com) It just seems odd to me that the biggest mutual-fund finance company in the world uses similar security to Joseph, Oregon’s Community Bank in 2010.

Quick comment about IPs: A lot of execs (who non-coincidentally have access to financial accounts in most if not all “small” companies) travel; IP security would greatly inconvenience a lot of people — in fact it already does, just like geographical profiling can often do (take a vacation without your bank knowing before and try to use debit card in foreign country or access funds for business transaction and find your account locked is not fun). IP security doesn’t solve anything anyway!

Banks do not want to spend the 30 dollars or so to send all customers proper one time tokens. But that does not excuse bank’s customers from being idiots.

There are alternative ways that banks can allow people who travel the “luxury” of logging in and doing business. All it takes is a bit of coordination.

One time passwords don’t have to be complicated, all it has to be is a string of characters. Its up-front cost may be a bit costly, but how much do banks and credit card companies lose each year due to theft? Hundreds of Millions if not more…..BUT

As long as banks can live off other people’s money via Interest charges, same as the credit card companies, and remain in the black vice red, this will always be a problem.

The issue with banks is this; They get into a comfortable, secure or semi secure environment and it takes an act of God for them to consider changing their ways. That resistance – is known by the crooks as well, and that is why Banks and CC companies will feed the leeches potentially to the end of the century.

Creating a “virtual vault” is something quite simple; There are many smarter individuals when it comes to encryption and security services that could draw up a multifactor authentication control to make the majority of issues like this become less of an impact.

Out of band authentication is critical with high risk transactions. Nothing is fool proof anymore these days. A layered security approach is the best option when dealing with wire transfers or ACH activity. Sounds like the bank did not perform a very good risk assessment with their internet banking products.

I think these situations are really tough. In this scenario (and every other similar scenario I’ve read about) I support the small business. It ticks me off that the banks don’t have to reimburse them. The problem, though, is that companies need to take some level of accountability for securing their own assets.

To me the blade cuts both ways. On the one hand a bank is just retarded if it’s not using MFA and other good security measures. I mean, 37 unsuccessful logins weren’t detected and red flagged? Come on.

On the flip side the business could have chosen to move their banking to a branch that DID offer good security. If I had hundreds of thousands of dollars in my account then my first question to the bank would be, “What kind of security measures do you have in place to keep this from being stolen?” You don’t have to be a security professional or rocket scientist to figure out that you need to ask that question. It’s just common sense.

Like I said, at the end of the day I come down on the side of the small business. Most small business owners can’t afford a dedicated IT staff and banks can. Banks owe it to their customers to properly protect their assets. Still, more awareness of this issue is critically needed. At the end of the day this problem isn’t going away and placing blame solely on one party isn’t the solution. Banks need to protect their assets properly and small businesses need to invest the time and energy necessary to do their research and place their assets in banks that offer that security.

One other thing… I wonder if it is good for society or bad for society if we allow more sympathy for smaller companies. This definitely impacts this smaller company in a large way, but for a medium-sized or larger company it would be a lot less of a big deal. Is it possible small businesses expect more protection from their banks than less-small ones? Is it fair for them to?

In addition to following Brian Krebs’s Best Practices, sole proprietors, not-for-profits, and small businesses may apply for CyberHeist insurance at http://www.cdiaus.com for as little as $100 per year.